{"id":"CVE-2025-38558","summary":"usb: gadget: uvc: Initialize frame-based format color matching descriptor","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: Initialize frame-based format color matching descriptor\n\nFix NULL pointer crash in uvcg_framebased_make due to uninitialized color\nmatching descriptor for frame-based format which was added in\ncommit f5e7bdd34aca (\"usb: gadget: uvc: Allow creating new color matching\ndescriptors\") that added handling for uncompressed and mjpeg format.\n\nCrash is seen when userspace configuration (via configfs) does not\nexplicitly define the color matching descriptor. If color_matching is not\nfound, config_group_find_item() returns NULL. The code then jumps to\nout_put_cm, where it calls config_item_put(color_matching);. If\ncolor_matching is NULL, this will dereference a null pointer, leading to a\ncrash.\n\n[    2.746440] Unable to handle kernel NULL pointer dereference at virtual address 000000000000008c\n[    2.756273] Mem abort info:\n[    2.760080]   ESR = 0x0000000096000005\n[    2.764872]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    2.771068]   SET = 0, FnV = 0\n[    2.771069]   EA = 0, S1PTW = 0\n[    2.771070]   FSC = 0x05: level 1 translation fault\n[    2.771071] Data abort info:\n[    2.771072]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[    2.771073]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    2.771074]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    2.771075] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a3e59000\n[    2.771077] [000000000000008c] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[    2.771081] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n[    2.771084] Dumping ftrace buffer:\n[    2.771085]    (ftrace buffer empty)\n[    2.771138] CPU: 7 PID: 486 Comm: ln Tainted: G        W   E      6.6.58-android15\n[    2.771139] Hardware name: Qualcomm Technologies, Inc. SunP QRD HDK (DT)\n[    2.771140] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[    2.771141] pc : __uvcg_fill_strm+0x198/0x2cc\n[    2.771145] lr : __uvcg_iter_strm_cls+0xc8/0x17c\n[    2.771146] sp : ffffffc08140bbb0\n[    2.771146] x29: ffffffc08140bbb0 x28: ffffff803bc81380 x27: ffffff8023bbd250\n[    2.771147] x26: ffffff8023bbd250 x25: ffffff803c361348 x24: ffffff803d8e6768\n[    2.771148] x23: 0000000000000004 x22: 0000000000000003 x21: ffffffc08140bc48\n[    2.771149] x20: 0000000000000000 x19: ffffffc08140bc48 x18: ffffffe9f8cf4a00\n[    2.771150] x17: 000000001bf64ec3 x16: 000000001bf64ec3 x15: ffffff8023bbd250\n[    2.771151] x14: 000000000000000f x13: 004c4b40000f4240 x12: 000a2c2a00051615\n[    2.771152] x11: 000000000000004f x10: ffffffe9f76b40ec x9 : ffffffe9f7e389d0\n[    2.771153] x8 : ffffff803d0d31ce x7 : 000f4240000a2c2a x6 : 0005161500028b0a\n[    2.771154] x5 : ffffff803d0d31ce x4 : 0000000000000003 x3 : 0000000000000000\n[    2.771155] x2 : ffffffc08140bc50 x1 : ffffffc08140bc48 x0 : 0000000000000000\n[    2.771156] Call trace:\n[    2.771157]  __uvcg_fill_strm+0x198/0x2cc\n[    2.771157]  __uvcg_iter_strm_cls+0xc8/0x17c\n[    2.771158]  uvcg_streaming_class_allow_link+0x240/0x290\n[    2.771159]  configfs_symlink+0x1f8/0x630\n[    2.771161]  vfs_symlink+0x114/0x1a0\n[    2.771163]  do_symlinkat+0x94/0x28c\n[    2.771164]  __arm64_sys_symlinkat+0x54/0x70\n[    2.771164]  invoke_syscall+0x58/0x114\n[    2.771166]  el0_svc_common+0x80/0xe0\n[    2.771168]  do_el0_svc+0x1c/0x28\n[    2.771169]  el0_svc+0x3c/0x70\n[    2.771172]  el0t_64_sync_handler+0x68/0xbc\n[    2.771173]  el0t_64_sync+0x1a8/0x1ac\n\nInitialize color matching descriptor for frame-based format to prevent\nNULL pointer crash by mirroring the handling done for uncompressed and\nmjpeg formats.","modified":"2026-03-20T12:42:55.216649Z","published":"2025-08-19T17:02:36.355Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38558.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/323a80a1a5ace319a722909c006d5bdb2a35d273"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6db61c1aa23075eeee90e083ca3f6567a5635da6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7f8576fc9d1a203d12474bf52710c7af68cae490"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38558.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38558"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7b5a58952fc3b51905c2963647485565df1e5e26"},{"fixed":"6db61c1aa23075eeee90e083ca3f6567a5635da6"},{"fixed":"7f8576fc9d1a203d12474bf52710c7af68cae490"},{"fixed":"323a80a1a5ace319a722909c006d5bdb2a35d273"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38558.json"}}],"schema_version":"1.7.5"}